Protecting the CNI: BCS ELITE, 9 June 2005, Mick Morgan, Head of Response


Post on 30-Dec-2015


TRANSCRIPT

Page 1: Protecting the CNI BCS ELITE 9 June 2005 Mick Morgan Head of Response

Protecting the CNI
BCS ELITE
9 June 2005

Mick Morgan
Head of Response

Page 2: Overview

• What is NISCC?
• What is the CNI?
• What is the threat?
• How does NISCC work?
• NISCC products and services

Page 3: What is NISCC?

NISCC is an inter-departmental centre which co-ordinates activity across a range of organisations. Each organisation contributes resources and expertise to NISCC’s programme of work according to what value it can add.

NISCC’s aim is to minimise the risk to the Critical National Infrastructure (CNI) from electronic attack (eA).

Page 4: An Interdepartmental Centre

Security
~ Police
~ MI5
~ CESG

Defence
~ MOD
~ DSTL

Civil Government
~ Home Office
~ Trade & Industry
~ Cabinet Office

(Diagram label: "contribute to")

Page 5: What is the CNI?

Those parts of the United Kingdom’s infrastructure for which continuity is so important to national life that loss, significant interruption or degradation of service would have life-threatening, serious economic or other grave social consequences for the community, or would otherwise be of immediate concern to the Government.

Page 6: The CNI Sectors

• Telecommunications
• Energy
• Finance
• Government & Public Services
• Water and Sewerage
• Health Services
• Emergency Services
• Transport
• Hazards
• Food

Page 7: The Threat

• Foreign States
• Terrorists
• Activists
• Criminals
• Hackers
• Script Kiddies

(Diagram labels: NISCC Interest; Visible Activity)

Page 8: Electronic attack (eA): What is it?

“The use of computers to gain unauthorised access to the data or control software of computer-based systems in order to acquire or corrupt data or disrupt the functioning of systems.”

January 2002

Page 9: Two types of eA

Untargeted attacks: Indiscriminate attacks affecting availability & many targets
Examples: Worms, viruses
Profile: High
Impact: Short term high

Targeted attacks: These focus on a particular target address
Examples: Hacking attacks, e-mail Trojan attacks
Profile: Generally low
Impact: Can be high & long term

Page 10: 2005+: Emerging threat themes

1. Greater exploitation of richness of software & speed of wired/wireless networks
2. Growing online markets in malicious software & stolen information
3. Impact of globalisation, e.g. data ‘offshoring’ & outsourcing of system procurement, services & maintenance
4. Developing eA capabilities of terrorists
5. Concerns about sophisticated eAs: Difficult to detect; may be impossible to mitigate

Page 11: Exploiting a rich environment

Malicious code seeks to infect ‘fast & furiously’; attackers take control; victims become future ‘seeders’ …

More data available on-line … more stealing … exploiting opportunities in feature-rich software

Attack infrastructure development: Networks of ‘botnets’ can be easily controlled for DDoS, spam, data egress etc … 1000s of ‘zombies’ out there!

Underpinned by growth & increased speed of broadband & mobile networks

Page 12: Exploiting Broadband - Botnets

A roBOT NETwork or ‘botnet’ is a network of compromised computers controlled by a client, a ‘botherder’ that issues commands via control or master servers

Command & control was Internet Relay Chat (IRC) but now can be any real time protocol inc Instant Messaging (IM)

The nodes of the ‘botnet’ (compromised PCs often called drones or zombies) are used to:

• Compromise other computers
• Flood targets (DDoS)
• Propagate spam email
• Sniffing, keylogging, mass id theft
• Egress data …

DIY: Much bot source code is available on the Internet

Rent: Nets of 10-50,000+ attack zombies available …

Page 13: The growing online marketplace

‘Goodbye kudos, hello $$££ … roubles?!’

Exploits for £££ … not for fun!

Markets for:

• botnets: Just name your price & target!
• malware: ‘zero-day’ exploits for purchase by all!
• harvested info: CC nos, bank details, ids, passwords
• processing time: on other people’s PCs!

Researchers motivated to discover more vulnerabilities

Faster ‘flash to bang’ times

Page 14: Impact of globalisation

Global market brings advantages .. & risks

Profits linked to globalisation BUT …

Equipment purchased overseas might have additional vulnerabilities; manufacturers might be subject to political pressure

Installation, maintenance & upgrade services provided from overseas are exploitable

Outsourcing services & offshoring data to foreign companies brings hard to manage risks: monitoring contracts is very difficult

Page 15: How NISCC works

(Diagram labels:)

• Critical National Infrastructure
• Research and Development. Policy
• Response
• Outreach
• Threat Assessment

Page 16: How does NISCC work?

(Diagram labels:)

• Investigation and Assessment
• Critical National Infrastructure
• Research and Development. Policy
• Response
• Outreach

Page 17: Investigating and Assessing the Threat

• Making best use of technical, human and open sources to investigate.
• Analysis and assessment.
• Reports and specific threat assessments.
• Disruptions.

Page 18: How does NISCC work?

(Diagram labels:)

• Outreach
• Investigation and Assessment
• Critical National Infrastructure
• Research and Development. Policy
• Response

Page 19: Outreach

Promoting Protection and Assurance:

• Dialogue with all CNI sectors
• Facilitating information exchanges
• Tailored reports

Page 20: How does NISCC work?

(Diagram labels:)

• Response
• Critical National Infrastructure
• Research and Development. Policy
• Outreach
• Investigation and Assessment

Page 21: Response

• Briefings and alerts via UNIRAS
• Responsible disclosure of vulnerabilities
• Assistance with recovery from direct attacks

Page 22: NISCC Products

• NISCC Monthly Bulletin of significant eA activity
• NISCC Quarterly Review has broader articles on CIP issues
• NISCC Briefings address topics of current concern
• UNIRAS Alerts highlight vulnerabilities to be fixed now!
• UNIRAS Briefings inform on emerging technical issues
• UNIRAS Technical Notes provide detailed advice

Details at www.niscc.gov.uk or www.uniras.gov.uk or e-mail [email protected]

Page 23: Outreach products

NISCC reporting:

• Threat assessments for specific CNI companies;
• UNIRAS (UK CERT) distribution to the CNI;
• Presentations to Seminars, Forums & Associations;
• WARPs, Information Exchanges;
• CNI Assurance Reports.

(Image text: NISCC Assurance Report for National Infrastructure plc, September 2003)

Page 24: Protecting the CNI BCS ELITE 9 June 2005 Mick Morgan Head of Response

Protecting the CNI
BCS ELITE
9 June 2005

www.niscc.gov.uk

Mick Morgan
Head of Response